Amazon EC2 Enables Cheap Brute-Force Attacks
snydeq writes "German white-hat hacker Thomas Roth claims he can crack WPA-PSK-protected networks in six minutes using Amazon EC2 compute power — an attack that would cost him $1.68. The key? Amazon's new cluster GPU instances. 'GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA-1 and MD,' Roth explained. GPU-assisted servers were previously available only in supercomputers and not to the public at large, according to Roth; that's changed with EC2. Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"
They cannot arguably be capable of defining what actions being taken with an EC2 instance are and are not crimes, therefore they should not even attempt to do so. It is not, after all, their duty to do so.
They can refuse service to those who they feel are suspicious, or cut people off if they violate some generic ToS, but surreptitiously cutting in because they think someone is committing a crime (and cracking WPA is not a crime) only runs them the risk of false positives.
More importantly, if they really feel they are observing someone committing a crime using their service, they should stand back and report it to authorities, who (in varying degrees of accuracy) are charged with being capable of determining if a crime is taking place and have the authority to intercede.
Breaking news! Tools can be used for anything!
Do you require pre-approval to use a hammer since it can be used to kill someone? What about the knives in your house?
Just like the phone company they should pay no attention to what their systems are being used for.
Trying to police it is a waste of resources. They start looking, then people will start obfuscating the data. If I send you a big pile of data in no noticeable format (since I've grabbed only the stuff I need and catted it together) and a bunch of code, it's going to take you a lot longer than 6 minutes to figure out what it does. Once you do figure it out, then what's the point? Work has already been done.
I find being offended by me offensive.